Evaluation of the effectiveness of compensating protection measures against APT attacks exploiting Zerologon vulnerabilities
DOI:
https://doi.org/10.17308/sait/1995-5499/2022/2/58-71
Keywords:
significant object, computer attack, compensating protection measures, critical information infrastructure, Markov process, security system
Abstract
The need to assess the effectiveness of security systems being built for significant objects of critical information infrastructure calls for simple and adequate mathematical models of how computer attacks are carried out. Using mathematical modeling during the design of a significant object's security system makes it possible to justify the requirements for the system as a whole, or for its individual parts, without significant cost and without affecting the technological process. The aim of the work is to develop a model of a multi-stage computer attack that exploits the Zerologon vulnerability, representing the attack as a Markov random process with discrete states and continuous time. Methods used: the theory of Markov processes, probability theory, computational mathematics, and graph theory. The novelty of the work lies in applying computational mathematics methods to the functional analysis of the solutions of the Kolmogorov system of equations, which allows known methods for analyzing continuous functions to be used to optimize the compensating protection measures included in the security system. A mathematical model has been developed that makes it possible to determine the required probabilistic-temporal characteristics of protective equipment in the security systems being designed. To evaluate the effectiveness of protection measures, an effectiveness indicator for the security system of a significant object of critical information infrastructure was introduced: the ratio of the probability of the security system being triggered to the probability of the intruder successfully completing the attack. The dependence of the protection time on the ratio of the time parameters of the applied compensating protection measures and the actions of the intruder is estimated.
The results of the study can be used in the design of security systems for significant objects of critical information infrastructure, taking into account the specified parameters of the security system and the intruder.
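The kind of calculation the abstract describes, as an added example that is not the paper's model or code: a continuous-time Markov chain whose Kolmogorov equations are integrated numerically to obtain the effectiveness indicator (probability of the security system being triggered divided by probability of the attack being completed). The linear chain of three stages, the exponential rates, and all function and variable names are assumptions made for illustration.

```python
# Added illustration: stage count, chain topology and all rates are constructed,
# not taken from the paper.

def generator(lam, mu):
    """Generator matrix Q. States 0..n-1 are attack stages,
    state n = security system triggered, state n+1 = attack completed."""
    n = len(lam)
    q = [[0.0] * (n + 2) for _ in range(n + 2)]
    for i in range(n):
        nxt = i + 1 if i + 1 < n else n + 1  # last stage leads to "attack completed"
        q[i][nxt] = lam[i]                   # intruder finishes stage i
        q[i][n] = mu[i]                      # protection measure fires during stage i
        q[i][i] = -(lam[i] + mu[i])
    return q

def kolmogorov_rhs(p, q):
    """Forward Kolmogorov equations: dp_j/dt = sum_i p_i * q_ij."""
    m = len(p)
    return [sum(p[i] * q[i][j] for i in range(m)) for j in range(m)]

def solve(q, t_end, dt=0.01):
    """Integrate from stage 0 with classical RK4 and return p(t_end)."""
    m = len(q)
    p = [1.0] + [0.0] * (m - 1)
    for _ in range(int(round(t_end / dt))):
        k1 = kolmogorov_rhs(p, q)
        k2 = kolmogorov_rhs([p[i] + 0.5 * dt * k1[i] for i in range(m)], q)
        k3 = kolmogorov_rhs([p[i] + 0.5 * dt * k2[i] for i in range(m)], q)
        k4 = kolmogorov_rhs([p[i] + dt * k3[i] for i in range(m)], q)
        p = [p[i] + dt / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
             for i in range(m)]
    return p

def effectiveness(lam, mu, t_end):
    """P(security system triggered) / P(attack completed) at time t_end."""
    p = solve(generator(lam, mu), t_end)
    n = len(lam)
    return p[n] / p[n + 1]

# Constructed rates (events per hour), one protection measure per attack stage.
LAM = [2.0, 1.0, 0.5]  # intruder stage-completion rates
MU = [1.0, 1.0, 1.5]   # protection-measure trigger rates

if __name__ == "__main__":
    for t in (1, 5, 50):
        print(t, round(effectiveness(LAM, MU, t), 3))
```

For this chain the long-run value can be checked by hand: the attack completes with probability (2/3)(1/2)(1/4) = 1/12, so the indicator tends to 11.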